I am trying to get the current WindowsIdentity from a caller of an ASP.NET application without impersonation.
After reading some articles my setup is:
For testing purposes, I wrote the following log statements:
m_techLogger.Warn(string.Format("Request[LOGON_USER] {0}", Request["LOGON_USER"]));
m_techLogger.Warn(string.Format("Request.LogonUserIdentity {0}", Request.LogonUserIdentity.Name));
m_techLogger.Warn(string.Format("HttpContext.Current.User.Identity {0}", HttpContext.Current.User.Identity.Name));
m_techLogger.Warn(string.Format("WindowsIdentity.GetCurrent() {0}", WindowsIdentity.GetCurrent().Name));
These statements returned the following:
2015-04-23 10:47:19,628 [7] WARN - Request[LOGON_USER] DOMAIN\User
2015-04-23 10:47:19,681 [7] WARN - Request.LogonUserIdentity NT AUTHORITY\SYSTEM
2015-04-23 10:47:19,681 [7] WARN - HttpContext.Current.User.Identity NT AUTHORITY\SYSTEM
2015-04-23 10:47:19,681 [7] WARN - WindowsIdentity.GetCurrent() NT AUTHORITY\SYSTEM
I understand that WindowsIdentity.GetCurrent().Name returns the System user. I do not understand why the output from Request.LogonUserIdentity and Request[LOGON_USER] are different. I need the WindowsIdentity object for the user with the name that is returned by Request[LOGON_USER].
Can anybody point me in the right direction?
The ServerVariables collection retrieves the values of predetermined environment variables and request header information. Server variables obtain most of their information from headers. It is wise to not trust the data that is contained in headers, as this information can be falsified by malicious users.
ServerVariables("REMOTE_ADDR") is always the same. If your scripts use Request.ServerVariables("REMOTE_ADDR") to get the client's IP address, they will always show the same, internal IP address due to the load balancers used for hosting your site. You can get the client's remote IP using Request.
HttpContext.Current.Request.ServerVariables("LOGON_USER") / Request.ServerVariables("LOGON_USER"): it will work only when Windows Integrated Authentication is turned on and Anonymous Access is turned off. In this case, the Request.ServerVariables("LOGON_USER") will return the network.
ServerVariables HTTP_X_FORWARDED_FOR is NULL when it is used to fetch the IP Address in ASP.Net using C# and VB.Net.
Request["LOGON_USER"] is only the authentication header that the client has sent to the server. Which means it is the login name of the client sending a request to your server. This login name will not be verified against the Active Directory unless you activate the impersonation. More info here: https://msdn.microsoft.com/en-us/library/ms524602(v=vs.90).aspx
Now without using impersonation you are therefore stuck. You can check the user in the Request["LOGON_USER"] against your AD on your server. But I do not recommend you doing that. Because a hostile client could just send any username in that field and get logged on your server if that user exists.
The correct way of doing this is to enable impersonation and use an AD group to allow the users to do what your service is now doing. You activate that by just adding this to your IIS config:
<configuration>
  <system.web>
    <identity impersonate="true"/>
  </system.web>
</configuration>
But if you really can’t use impersonation, you can hack yourself out of this by impersonating a service account using the Win32 API. If you want to do that yourself, here are the examples from Microsoft: https://msdn.microsoft.com/en-us/library/chf6fbt4.aspx and https://msdn.microsoft.com/en-us/library/system.security.principal.windowsidentity.aspx
Or you can find a good wrapper here: How do you do Impersonation in .NET?
And using it is as easy as this:
using (new Impersonation(domain, username, password))
{
    // probably connecting to some bad 3rd party stuff that needs a very specific access.
}
Now, without knowing more about your actual reason for doing this, I hope this will help you further along the road. Only do this if it’s absolutely necessary.
When I try the same I get
Request.LogonUserIdentity.Name "DOMAIN\\accountname" (no capital letter)
Request["LOGON_USER"] "DOMAIN\\Accountname" (capital letters)
To get the current user in our ASP.NET application, I use this line of code:
User.Identity.Name
Does this help in any way?
System.Web.HttpContext.Current.User.Identity.Name
Gets or sets security information for the current HTTP request. (The Name of the Logged in user on your Website)
Request.ServerVariables
Gets a collection of Web server variables.
The Request property provides programmatic access to the properties and methods of the HttpRequest class. Because ASP.NET pages contain a default reference to the System.Web namespace (which contains the HttpContext class), you can reference the members of HttpRequest on an .aspx page without using the fully qualified class reference to HttpContext.
Conclusion
Both work the same, but with Request.ServerVariables you can iterate over the whole collection dynamically.
For example:
int loop1, loop2;
NameValueCollection coll;
// Load ServerVariable collection into NameValueCollection object.
coll = Request.ServerVariables;
// Get names of all keys into a string array.
String[] arr1 = coll.AllKeys;
for (loop1 = 0; loop1 < arr1.Length; loop1++)
{
    Response.Write("Key: " + arr1[loop1] + "<br>");
    // Get all values stored under this key.
    String[] arr2 = coll.GetValues(arr1[loop1]);
    for (loop2 = 0; loop2 < arr2.Length; loop2++)
    {
        Response.Write("Value " + loop2 + ": " + Server.HtmlEncode(arr2[loop2]) + "<br>");
    }
}
Have you tried to use
User.Identity.Name
assuming you are after Windows users, as you have mentioned? What output does it give?
Also, does your config file have these settings:
<authentication mode="Windows"/>
<identity impersonate="true"/>
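An added example, not part of the question or of any answer above: a helper that accepts only a token-backed WindowsIdentity and authorizes it against a Windows group without impersonating, so a bare name string such as the value of Request["LOGON_USER"] is never enough. It assumes IIS has Windows authentication enabled and anonymous access disabled, so that HttpContext.Current.User carries a WindowsIdentity; the class name, method names and the BUILTIN\Users group are hypothetical stand-ins.

```csharp
using System;
using System.Security.Principal;

static class CallerIdentity
{
    // Stand-in group for the demo; an application would name its own AD group here.
    const string RequiredGroup = @"BUILTIN\Users";

    // Returns the token-backed Windows identity of the caller, or null when the
    // principal is not an authenticated, non-anonymous, non-guest Windows account.
    public static WindowsIdentity Resolve(IPrincipal user)
    {
        var id = user?.Identity as WindowsIdentity;
        if (id == null || !id.IsAuthenticated || id.IsAnonymous || id.IsGuest)
            return null;
        return id;
    }

    // Authorizes against a Windows group using the caller's token. The thread
    // keeps running under its own account; nothing is impersonated.
    public static bool IsAllowed(IPrincipal user, string requiredGroup)
    {
        WindowsIdentity id = Resolve(user);
        return id != null && new WindowsPrincipal(id).IsInRole(requiredGroup);
    }

    static void Main()
    {
        // Constructed sample 1: a user name with no Windows token behind it,
        // the shape of a value read as a plain string from the request.
        IPrincipal nameOnly = new GenericPrincipal(
            new GenericIdentity(@"DOMAIN\User"), new string[0]);
        Console.WriteLine("name-only accepted: " + (Resolve(nameOnly) != null));

        // Constructed sample 2: a token-backed principal. In ASP.NET this would be
        // HttpContext.Current.User; the current process token stands in for it here.
        IPrincipal tokenBacked = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        WindowsIdentity caller = Resolve(tokenBacked);
        Console.WriteLine("token-backed caller: " + (caller != null ? caller.Name : "none"));
        Console.WriteLine("in required group: " + IsAllowed(tokenBacked, RequiredGroup));
    }
}
```

Logging IsAuthenticated and AuthenticationType next to the Name values from the question's log statements helps show which of the identities is actually backed by an authenticated token.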